
The record-setting hack of the Bybit digital asset exchange and the ensuing calls to roll back the Ethereum network (again) prove the need for proper legal recourse when customers are illegally deprived of their assets.
Panic spread through the ‘crypto’ world on February 21 after Bybit was hacked for over $1.4 billion worth of Ethereum’s ETH token, the largest exploit of its kind—in crypto or beyond. The role of crypto Paul Revere was played by blockchain researcher @ZachXBT, who almost immediately flagged North Korea’s infamous Lazarus Group of hackers as the culprits behind the Bybit exploit.
Bybit CEO Ben Zhou confirmed the exploit, which occurred as the exchange was transferring tokens from an ETH multi-sig cold wallet to its ‘warm’ wallet. The exploiters had installed malicious code that showed Bybit staff only what they expected to see.
But behind the scenes, the hackers were altering the smart contract logic to grant themselves access to Bybit’s cold wallet. The entire contents of the wallet were then transferred to a different wallet outside Bybit’s control.
Bybit tried to calm the waters by insisting that all customer funds were safe, but customers understandably freaked out and began flooding the exchange with withdrawal requests. Later, on a livestream, Zhou said 70% of these withdrawals had been “approved and processed” but warned that “network congestion” meant customers might have to wait a few hours to be reunited with their funds.
Bybit later said it had secured a “bridge loan” to ensure it had enough ETH to process ‘in-kind’ withdrawals. Lookonchain reported that Bybit had received nearly 447,000 ETH via “loans, whale deposits and ETH purchases” from Galaxy Digital, FalconX, Wintermute and others. By late Sunday, Zhou claimed the site was back to “100% 1:1 on client assets,” and all withdrawals were processing as normal.
While Zhou insisted that Bybit’s ETH wallet was the only one of its access points to be compromised in this fashion, not everyone is convinced. The thinking goes, if Lazarus could boldly infiltrate and exploit the exchange without Bybit’s knowledge, how could it be sure that additional vulnerabilities aren’t lurking in its existing hardware, servers, and other infrastructure?
There are also suspicions that Bybit may have one or more moles in its midst. North Korea has become infamous for sending members of its hacking groups out into the wild with fake documentation/backstories to seek jobs at blockchain projects. Once onboarded, they have a greater capacity to probe for flaws in security protocols, with predictable results.
As far as most Bybit customers are concerned, the immediate crisis is past. That said, Bybit still has a $1.4 billion hole in its books; it’s just been papered over by new debt and other obligations.
Kim Jong-unbelievable
While everyone was focused on getting their money off Bybit as fast as possible, the hackers were busy laundering their ill-gotten gains.
First, they split the stolen ETH into smaller chunks, which were then transferred to dozens of wallets. After that, the tokens were sent to various Ethereum-based decentralized finance (DeFi) platforms, including Sky (the rebranded MakerDAO), OKX DEX and Uniswap.
The hackers’ initial focus appears to have been on swapping ETH for DAI, the MakerDAO/SKY-issued decentralized stablecoin that lacks the ability to freeze tokens on-chain. Blockchain researchers Elliptic later reported that, given Lazarus’s traditional methods, the next step would be to send tokens to coin mixers. Lazarus has previously been flagged for using mixers like Tornado Cash to obfuscate the trail of their getaway cars. (Good thing U.S. courts have taken a shine to Tornado Cash, huh?)
Bybit has offered a bounty of up to 10% of recovered tokens and publicly thanked several DeFi entities—as well as the Tether stablecoin issuer for freezing 181,000 USDT—for doing what they could to stem this tide.
Notably excluded from this ‘thank you’ card is eXch, a non-KYC (know your customer) exchange that received some of the stolen tokens. On the Bitcoin Talk forum, eXch posted an email it received from Bybit asking it to freeze tokens, to which eXch offered a flippant response citing what it claimed were “direct attacks on the reputation of our exchange by ByBit over the past year.”
eXch went on to claim that it wanted “a clear explanation as to why we should consider providing assistance to an organization that has actively undermined our reputation.” Bybit’s Zhou tweeted his hope that eXch would “reconsider” its position, given that the situation was “really not about Bybit or any entity, it’s about our general approach towards hackers as an industry.”
Responding to allegations by ZachXBT (and others) regarding its role in this affair, eXch insisted that it “is NOT laundering money for Lazarus/DPRK.” eXch added that it had only processed an “insignificant portion of funds from the ByBit hack” and said the fees derived from this “isolated case” would be “donated for the public good.”
Does anyone have one of those Men in Black memory-wiping thingies?
The sheer scale of the heist, along with the fact that it was entirely focused on ETH, led to calls for Ethereum’s gatekeepers to take a page out of history and roll the network back to its pre-hack state to ‘undo’ the theft.
In 2016, Ethereum chose that nuclear option following the exploit of TheDAO, a decentralized autonomous organization that lost 3.6 million ETH. That was 9x the number of ETH tokens stolen from Bybit, although ETH was worth only a fraction of its current value in 2016.
Following a contentious vote in which ETH whales were given a greater say than the plebs, the network underwent a hard fork that returned the tokens to their rightful owners. However, a vocal minority insisted this violated the ‘code is law’ tenet and chose to stick with the original network, which was renamed Ethereum Classic.
While the suggestion of a new hard fork was raised almost immediately following news of Bybit’s victimization, nobody expects Ethereum to go through all that again. For one thing, TheDAO’s smart contract imposed a month-long pause on transactions, meaning the stolen tokens were still technically there, just inaccessible absent the fork. Meanwhile, the Bybit tokens are being moved and converted as we speak.
That said, calls for a rollback would have been much louder had Bybit not taken the as-yet-not-completely-understood financial steps to ensure customers weren’t left holding the (empty) bag. The price of ETH, which took a precipitous dip as news of the hack broke, recovered most of its losses, only to sink again on February 24 after people remembered it was still ETH.
A better way
Imagine that Bybit’s losses involved a different token on a different chain, one that required its nodes—including the entities responsible for processing transactions—to abide by a set of Network Access Rules (NAR). These rules would ensure an honest, law-abiding network environment, offering users greater transparency and a degree of confidence that’s sorely lacking in most other chains.
Now imagine that this other network has a functional Alert System that can (among other things) sound the alarm when ‘crypto crooks’ get their hands on tokens that don’t belong to them. A system that could signal network nodes to freeze tokens in place before the bad guys can direct their stolen loot into a coin mixer or cross-chain bridge.
Now, imagine that this network can utilize these rules and tools to provide a service called Digital Asset Recovery (DAR). This allows theft victims to make a complaint, which would be investigated thoroughly to ensure that the victim has a rightful claim to the tokens in question.
A court order is then obtained, and the network broadcasts the specifics to the network nodes, which are then obligated to freeze the tokens on-chain. The frozen tokens are then destroyed, and replacements are issued at the tip of the chain to their rightful owner(s), with the full history and origin of the tokens available to all.
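To make the freeze-and-reissue flow just described concrete, here is a constructed toy model (added for illustration, not code from the article or from any real Network Access Rules, Alert System or DAR implementation): nodes honour a freeze only when the order carries a valid signature from an assumed alert authority, refuse to relay spends of frozen outputs, and on a court order destroy the frozen output and reissue it to the rightful owner with its origin on record.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed, simplified model of the freeze-and-reissue flow; placeholder key,
# not the real Alert System or DAR implementation.
ALERT_KEY = b"alert-authority-demo-key"


def sign_order(order: dict, key: bytes = ALERT_KEY) -> str:
    """Sign an order so nodes can distinguish real freeze orders from forgeries."""
    payload = json.dumps(order, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


@dataclass
class Node:
    utxos: dict = field(default_factory=dict)   # outpoint -> (owner, amount)
    frozen: set = field(default_factory=set)
    history: list = field(default_factory=list)  # audit trail of reissues

    def apply_freeze(self, order: dict, sig: str) -> bool:
        # A node honours a freeze only when the signature matches the alert authority.
        if not hmac.compare_digest(sign_order(order), sig):
            return False
        self.frozen.update(op for op in order["outpoints"] if op in self.utxos)
        return True

    def spend(self, outpoint: str, to: str) -> bool:
        # Any spend of a frozen output (e.g. towards a mixer or bridge) is rejected.
        if outpoint not in self.utxos or outpoint in self.frozen:
            return False
        _, amount = self.utxos.pop(outpoint)
        self.utxos[f"{outpoint}->{to}"] = (to, amount)
        return True

    def reissue(self, order: dict, sig: str):
        # Court-ordered step: destroy the frozen output and recreate it at the
        # chain tip for the rightful owner, recording the origin for everyone.
        op = order["outpoint"]
        if not hmac.compare_digest(sign_order(order), sig) or op not in self.frozen:
            return None
        _, amount = self.utxos.pop(op)
        self.frozen.discard(op)
        new_op = f"reissue:{order['court_order_id']}:{op}"
        self.utxos[new_op] = (order["rightful_owner"], amount)
        self.history.append({"destroyed": op, "reissued": new_op,
                             "court_order": order["court_order_id"]})
        return new_op
```

A forged freeze order is ignored, a spend of a frozen output fails, and the reissued output carries the court order id and the destroyed outpoint so the provenance is visible to anyone reading the history.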
Sounds a lot like legitimate legal recourse in real life, doesn’t it? Unless we missed that section of the Bitcoin white paper where it says the network is an anarchic hybrid of Mos Eisley and Thunderdome, it seems like the basic laws of property should still apply on the blockchain, shouldn’t they?
Just sayin’, but if the Bybit scandal had occurred on this network, the uproar wouldn’t have lasted past lunchtime.